As the hotel industry has been discovering to its cost, cybercriminals are a part of the population that doesn’t seem to take holidays.

Recent days have seen an unspecified possible breach in the reservation payment systems run by US company Sabre for 32,000 hotels and lodges, which prompted it to call forensics Ghostbusters Mandiant to work out what’s been haunting its network.

Sabre spouted the usual not-at-all-reassuring platitudes:

The unauthorized access has been shut off and there is no evidence of continued unauthorized activity.

Coming only days after InterContinental Hotels Group released details of the malware used to steal credit card numbers from inside as many as 1,200 of its hotels last year and this starts to look like a trend that can be summed up by the phrase, “this industry’s security is rubbish”.

In fact, hotel industry breaches of card terminals are less a trend than a fixed point of reference that doesn’t seem to be changing, with numerous incidents reported by other big chains in recent times.

There are also the occasional leftfield incidents such as the DarkHotel attack of 2014, apparently a nation state operation aimed at carrying out location tracking surveillance on high-value guests.

Hotel security has two dimensions: the hotel systems themselves and the internet connectivity they offer to guests through a wired or Wi-Fi connection.

As the incidents above demonstrate, the former is something customers can do little about beyond using more secure Europay Mastercard Visa (EMV) cards based on chip & Pin encryption that stop criminals sniffing numbers from terminals. It’s not as if guests can avoid handing over their cards – hotels invariably ask for them upfront during check-in.

The second, hotel connectivity, offers more choice but also more complexity. Hotel Wi-Fi secured with encryption is becoming common at larger chains but some still default to open, unencrypted connections served through a captive portal. As the name suggests, “captive portals” are captive and not secure.

Our recommendation is to use a physical Ethernet port if one is offered although this means carrying a length of cable to plug into it and isn’t possible for all devices.

Hotspot 2.0

If a captive portal or hotspot is the only option, the first hurdle is identifying the correct one, normally from little more than a plausible-sounding name. Recently, the Wi-Fi Alliance invented something called Hotspot 2.0 (HS2, or 802.11u) so that devices supporting it will know which are genuine and connect to them automatically. HS2 also enforces WPA-2 Enterprise encryption.

Support for this in computers and hotspots is very low right now but the standard offers real hope. In Windows 10 you can check whether it’s supported by typing in the search box:

cmd
netsh wlan show wirelesscapabilities

Scroll down and look for ANQP Service Information Discovery. If it says “not supported”, you have a wait on your hands for an update.

HTTPS

We’d like to say that HTTPS (which encrypts the connection between client and server at the transport layer) is secure but the Heartbleed OpenSSL vulnerability of 2014 reminded us not to take this on trust. There’s also the remote possibility of a flaw in a particular server’s implementation as was the case recently with F5’s ‘Ticketbleed’ reprise of the problem.

VPNs

Beyond that, you enter the world of VPNs, which set up an encrypted tunnel between a computer and a remote server. Many are offered free of charge but remember that while they might hide your connection from prying eyes, they can still see you and some have been accused of selling customer data to marketing firms.

To most people, hotels are still about getting away from it all. Cybercrime is a reminder that in the digital world, no such thing exists.

One comment on “Going travelling? Don’t drop your guard when you’re on the road”

As WOS encrypts the connection only between the computer and the Wi-Fi acsess point it only has 2 uses:
1. Protect the computers on a LAN from external threats via a common firewall (rendered irrelevant as most computers block incoming connections by default) or
2. To protect acsess to a LAN only server (which I doubt a hotel has any of).
Both of these are rendered irrelevant if the password is publicly avalible like in a hotel and due to Wi-Fi’s limited range I doubt anyone would attempt to mount an attack over hotel Wi-Fi without booking into the hotel in the first place taking you back to square 1.